Multiple Apache HTTP Server Vulnerabilities Fixed in Ubuntu
The Ubuntu security team recently addressed several Apache HTTP Server vulnerabilities in Ubuntu 23.10, Ubuntu 23.04, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 16.04, and Ubuntu 18.04. These vulnerabilities could potentially allow attackers to disrupt server functionality or even inject malicious code. Let’s break down the issues and how to stay secure.
Apache HTTP Server Vulnerabilities
CVE-2023-38709, CVE-2024-24795
Two separate vulnerabilities were discovered that involve the Apache HTTP Server mishandling certain inputs. These flaws could be exploited by attackers to inject malicious code into server responses, potentially compromising user data or website functionality.
Another vulnerability specifically affects the HTTP/2 module of Apache. This issue allows attackers to send endless data streams, overwhelming the server and causing a denial-of-service (DoS) condition, essentially taking the server offline.
A flaw in how Apache’s mod_macro module manages memory could be exploited by remote attackers to crash the server. This crash would render the server unavailable, effectively creating a denial-of-service (DoS) attack.
Mitigating Vulnerabilities
To address these vulnerabilities, it is imperative to promptly update systems with the latest apache2 versions. Unfortunately, official security updates from Ubuntu stop once a version reaches its End-of-Life (EOL). Therefore, security updates for EOL systems like Ubuntu 16.04 and Ubuntu 18.04 are only available through Ubuntu Pro. While subscribing to Ubuntu Pro offers continued security updates, the high cost can be a barrier for some users. This is where Extended Lifecycle Support (ELS) from a provider like TuxCare comes in.
TuxCare’s Extended Lifecycle Support offers an affordable alternative, delivering vendor-grade security patches for up to five additional years. This means you continue to receive critical security fixes, including those that address vulnerabilities in Apache HTTP Server like the ones mentioned above. TuxCare has already released patches for these vulnerabilities. You can find the vulnerabilities and their patch status on our CVE Dashboard.
Send patching-related questions to a TuxCare security expert to learn more about securing your End-of-Life Linux systems.
Source: USN-6729-2